Information acquisition enabled/disabled inspection system

ABSTRACT

A technique for acquiring information. In response to receiving a request to read data stored in a database, said data is read from said database. In response to receiving a request to deliver particular data among said read data at a point in time when said particular data is to be used, it is determined whether said delivery request satisfies predetermined criteria. Said particular data is delivered in response to determining that said delivery request satisfies said predetermined criteria.

RELATED APPLICATIONS

This application is a National Stage filing under 35 U.S.C. §371 of International Application No. PCT/JP2004/011149, filed on Aug. 4, 2004, which claims the benefit under 35 U.S.C. 365(b) of Japan Application No. 2003/303908, filed on Aug. 28, 2003, which is incorporated herein in its entirety by this reference.

TECHNICAL FIELD

The present invention relates to a database system having the capability of determining whether or not access by an application program (hereinafter referred to as an “application”) to information stored in a database (hereinafter referred to as a “DB”) satisfies predetermined criteria.

BACKGROUND

For sensitive information such as personal information, criteria such as a personal information protection policy (for example a P3P policy, hereinafter simply referred to as a “policy”) may be established governing permission to disclose the information. If information stored in a DB is protected with such criteria, access from an application to the information is checked to see whether the access satisfies the criteria before the information can be provided to the application. The information is provided to the application only if the access satisfies the criteria. Conventionally, the determination as to whether access satisfies the criteria has been made at the point of time when the information stored in the DB is physically accessed (for example, see Non-patent literature 1).

Non-patent literature 1 describes a method for determining whether access to personal information complies with a personal information protection policy. The specific procedure is as follows.

First, an application obtains a DB connection in a conventional manner and issues an SQL query to the DB. Logic for policy compliance is provided in the DB, where the SQL query is translated into a query compliant with the policy. That is, when the translated SQL query is executed, only the information that complies with the policy can be acquired as the result of the query. The result of the query is provided to the application as is, and personal information that does not comply with the policy is not provided to the application.

[Non-patent literature 1] Rakesh Agrawal, Jerry Kiernan, Ramakrishnan Srikant, Yirong Xu: “Hippocratic Databases,” in Proceedings of the International Conference on Very Large Data Bases (VLDB) 2002, pp. 143-154, Springer, 2002

DISCLOSURE OF THE INVENTION

Problems to be Solved by the Invention

However, the technique described in Non-patent literature 1 requires that all items of information accessed be checked to determine whether the access complies with a policy before the result of the query can be provided to the application. For example, if access is attempted to 1,000 people's personal information, a policy compliance check for the 1,000 people must be performed before the result of the query can be provided to the application. Thus, the technique has the problem of slow response to DB access, since the application must wait until the policy compliance check on all of the personal information is completed.

Furthermore, the policy compliance checking may be performed on personal information that is not actually used by the application. For example, even though the application accesses 1,000 people's personal information, the application may use only 100 people's information out of that information. This means that 900 people's personal information has been unnecessarily checked for compliance with the policy.

The present invention has been made in order to solve the technical problem described above, and an object of the present invention is to efficiently determine whether or not access by an application to information stored in a DB satisfies predetermined criteria.

SUMMARY OF THE INVENTION

To achieve the object, according to the present invention, the determination as to whether or not access by an application to information stored in a DB satisfies predetermined criteria is made at the point of time when a request to obtain the result of the access is received from the application, rather than at the time point at which the application physically accesses a record in the DB. That is, the database system according to the present invention includes: data storing means for storing data to be protected; data processing means for performing predetermined processing by using the data stored in the data storing means; and data protection means for, when receiving from the data processing means a request to read the data stored in the data storing means, reading the data from the data storing means and, when receiving from the data processing means a request to deliver particular data among the data, delivering the particular data to the data processing means if the delivery request satisfies the predetermined criteria.

Furthermore, according to the present invention, the determination as to whether or not access to information stored in a DB satisfies predetermined criteria is made by inquiring of a policy server at the time point when the information is used. That is, a system of the present invention for checking whether or not information is permitted to be acquired includes a first computer using data stored in a DB and a second computer managing criteria for the use of the data, wherein: the first computer reads the data stored in the DB and, at the point of time when particular data among the data is used, sends information about the use of the particular data to the second computer; the second computer, when receiving the information about the use of the particular data, determines on the basis of the criteria whether or not the first computer is permitted to use the particular data, and returns the result of the determination to the first computer; and the first computer uses the data when receiving from the second computer information indicating that the first computer is permitted to use the particular data.

Furthermore, the present invention can be viewed as an information acquiring method for acquiring information from a DB. The method of the present invention for acquiring information includes the steps of: when receiving a request to read data stored in the DB from an application program, reading the data from the DB; when receiving a request to deliver particular data among the read data from the application program, determining whether or not the delivery request satisfies predetermined criteria; and delivering the particular data to the application program if it is determined that the delivery request satisfies the predetermined criteria.

In another aspect, the present invention can be viewed as a computer program for implementing functions for acquiring information from a DB. The program according to the present invention causes a computer to implement the functions of: when receiving a request to read data stored in the DB from an application program, reading the data from the DB; when receiving a request to deliver particular data among the read data from the application program, determining whether or not the delivery request satisfies predetermined criteria; and delivering the particular data to the application program if it is determined that the delivery request satisfies the predetermined criteria.

Advantages of the Invention

According to the present invention, the determination can be efficiently made as to whether or not access by an application to information stored in a DB satisfies predetermined criteria.

PREFERRED EMBODIMENT

An embodiment of the present invention will be described below in detail with reference to the accompanying drawings. It is assumed in the present embodiment that “personal information” is the information to be protected and a “personal information protection policy” is the criteria that access must satisfy.

Focusing attention on the fact that the timing at which access to personal information in a DB is made differs from the timing at which that personal information is used by the application, the present invention solves the problem by performing the policy compliance check at the latter timing (delayed evaluation).

In particular, instead of checking all personal information for compliance with a policy before returning the result of a query to an application, a “controlled query result”, which has the function of policy compliance checking, is returned to the application. The application requests personal information from the “controlled query result” at the point of time when the application actually uses the personal information. The “controlled query result” performs a policy compliance check at this point of time and returns the requested personal information depending on the result of the check.

FIG. 1 shows an overall configuration of a database system according to the present embodiment.

As shown in FIG. 1, the database system includes an application 10, a personal information DB 20, a policy server 30, and a privacy protection module 40.

The application 10 is a program that uses personal information stored in the personal information DB 20 to perform various kinds of processing. For example, the application may be a program that searches the personal information DB 20 for personal information and displays the result on a display.

The personal information DB 20 is a DB that stores personal information. For example, data such as that shown in FIG. 2 is stored in the personal information DB 20.

The policy server 30 is a server that manages personal information protection policies and, in response to a policy compliance check request, performs a policy compliance check on the basis of a personal information protection policy and returns the result of the check. The policy server 30 manages personal information protection policies such as the one shown in FIG. 3, for example. The table in FIG. 3 is used for policy compliance checking based on a P3P policy. Specifically, it shows that Tokyo-area sales personnel can access the names, addresses, and phone numbers of people whose addresses contain Tokyo, for the purpose of sales activities only.

The privacy protection module 40 is a program that retrieves personal information stored in the personal information DB 20 upon reception of a request for retrieval of the personal information from the application 10, requests the policy server 30 to perform a policy compliance check upon reception of a request for delivery of a particular subset of the retrieved personal information, and provides the particular personal information to the application 10 only if a response indicating that the request complies with the policy is returned. While the privacy protection module 40 is provided separately from the application 10 in FIG. 1, it may be a module that functions as an integral part of the application 10.

The privacy protection module 40 includes a control section 41, an access information storing section 42, an SQL information storing section 43, an SQL constructing section 44, a column identifying section 45, a database accessing section 46, a policy compliance inquiry section 47, and an inquiry result storing section 48.

The control section 41 serves as the interface with the application 10 and controls the overall flow. For example, the control section 41 acts as the application-interface and flow-control logic in the privacy protection module 40. The application 10 can access the personal information DB 20 only through the control section 41.

The access information storing section 42 stores information required for accessing the personal information DB 20 (hereinafter referred to as “access information”). Examples of the access information include user IDs and passwords required for accessing the personal information DB 20. The privacy protection module 40 manages these items of information to control access by the application 10 to the personal information DB 20.

The SQL information storing section 43 stores information concerning SQL statements that can be issued to the personal information DB 20 without causing problems (hereinafter referred to as “SQL information”). If the application 10 were allowed to construct SQL statements on its own and issue them to the personal information DB 20, the application 10 could issue SQL statements that destroy information stored in the personal information DB 20. To prevent this, the privacy protection module 40 manages the information required for constructing SQL statements that can be issued to the personal information DB 20 without problems. If all SQL statements that can be issued to the personal information DB 20 without problems were to be provided in the SQL information storing section 43, the number of SQL statements would be enormous. Therefore, SQL statement templates containing variables that can be replaced with input parameters (hereinafter referred to as “SQL statement templates”) are managed instead.

FIG. 4 shows an example of information stored in the SQL information storing section 43. In FIG. 4, an SQL-ID, which is identification information that uniquely identifies each SQL statement template, is assigned to each SQL statement template.

Also in FIG. 4, protected column information and data owner ID column information are associated with each SQL statement template. Here, the protected column information is information for identifying a column that is specified as a column to be protected among the columns retrieved by using an SQL statement constructed from an SQL statement template. The data owner ID column information is information for identifying a column that is to be referenced in order to know the owner of each item of data among the columns retrieved by using an SQL statement constructed from an SQL statement template.

The SQL constructing section 44 is a section that retrieves, from the SQL statement templates stored in the SQL information storing section 43, the one associated with the SQL-ID input by the application 10 and embeds the parameters input by the application 10 in its variables to construct an SQL statement. The SQL constructing section 44 is equivalent to SQL construction logic, for example, in the privacy protection module 40.

The column identifying section 45 is a section that identifies, on the basis of information stored in the SQL information storing section 43, the protected column and the data owner ID column associated with the SQL-ID input by the application 10. The column identifying section 45 is equivalent to column identifying logic, for example, in the privacy protection module 40.

The database accessing section 46 is a section that accesses the DB and holds the result of the access. For example, it is equivalent to a DB connection, which is a typical Java® class for accessing a DB. (Java® and all Java®-related trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.)

The policy compliance inquiry section 47 is a section that issues an inquiry about policy compliance to the policy server 30 and receives and returns the result of the inquiry. In particular, the policy compliance inquiry section 47 is equivalent to policy compliance inquiry logic in the privacy protection module 40.

The inquiry result storing section 48 is provided for reducing the cost of communicating with the policy server 30 and the load placed on it by policy compliance checks. The inquiry result storing section 48 serves as a cache memory for storing the results of inquiries issued to the policy server 30.

A hardware configuration of a typical computer system can be used as the hardware configuration of the database system in the present embodiment. In particular, any of the computer that executes the application 10, the computer that manages the personal information DB 20, the policy server 30, and the computer that executes the privacy protection module 40 may be a computer that includes a central processing unit (CPU) and a main memory, which are connected to an external storage through a bus. The external storage may be a storage such as a hard disk, a flexible disk, an MO (Magneto-Optical disk), or a CD-ROM, for example.

In the computer that executes the application 10, the application 10 is stored in an external storage and is loaded and executed by the central processing unit (CPU) in the main memory to implement data processing means, not shown.

In the computer that manages the personal information DB 20, an external storage implements the personal information DB 20. The personal information DB 20 can typically be considered as data storage means.

In the policy server 30, a computer program for performing policy compliance checking is stored in an external storage and the central processing unit (CPU) loads the computer program into the main memory to implement the functionality of policy compliance checking. Policies referenced in policy compliance checking may be contained in the computer program or may be stored in an external storage separately from the computer program.

In the computer that executes the privacy protection module 40, the privacy protection module 40 is stored in an external storage and is loaded and executed by the central processing unit (CPU) in the main memory to implement privacy protection means, not shown. The control section 41, access information storing section 42, SQL information storing section 43, SQL constructing section 44, column identifying section 45, database accessing section 46, policy compliance inquiry section 47, and inquiry result storing section 48, as program logic contained in the privacy protection module 40, implement the control section 41, access information storing section 42, SQL information storing section 43, SQL constructing section 44, column identifying section 45, database accessing section 46, policy compliance inquiry section 47, and inquiry result storing section 48, respectively, as functions of the computer.

The computer that executes the privacy protection module 40 may also execute the application 10 or may manage the personal information DB 20. Furthermore, the policy compliance checking function of the policy server 30 may be included in the policy compliance inquiry section 47 of the privacy protection module 40 or may be included as a separate program running on the computer that executes the privacy protection module 40. It should be noted that if the policy compliance checking function is implemented by the policy server 30, which is an independent server computer, modifications to policies can be addressed flexibly.

Furthermore, each computer in the database system according to the present embodiment may have input devices such as a keyboard and a pointing device connected to it or have an output device such as a display connected to it.

Operation of the database system according to the present embodiment will be described below. In the following description of operation, the terms control section 41, access information storing section 42, SQL information storing section 43, SQL constructing section 44, column identifying section 45, database accessing section 46, policy compliance inquiry section 47, and inquiry result storing section 48 refer to the components as functions of a computer.

FIG. 5 is a flow chart of the operation performed by the privacy protection module 40 for retrieving data from the personal information DB 20 in response to a request from the application 10.

First, the privacy protection module 40 reads the files used for the subsequent process (step 501). In particular, the privacy protection module 40 reads access information stored in an external storage into an area in the main memory that is managed by the access information storing section 42 and reads SQL information stored in the external storage into an area in the main memory that is managed by the SQL information storing section 43.

Then, the control section 41 in the privacy protection module 40 provides the SQL information read at step 501 to the application 10 in order to construct an SQL statement that can be issued to the personal information DB 20 without causing a problem (step 502). In response to this, the application 10 displays the association between SQL-IDs and SQL statement templates on a display to prompt a user to select an SQL statement to be submitted to the personal information DB 20.

When the user responds to this by inputting the SQL-ID of the SQL statement template from which the SQL statement the user wants to issue to the personal information DB 20 is constructed, the parameters to be embedded in the variables of the SQL statement template, and the purpose of the access, the application 10 provides the input SQL-ID, parameters, and purpose of the access to the privacy protection module 40. The application 10 also identifies the accessing user by means of information such as a user ID input during login to the application 10, and provides an accessor ID to the privacy protection module 40.

In the privacy protection module 40, the control section 41 receives these items of information (step 503) and provides the SQL-ID and parameters to the SQL constructing section 44.

Typically, the SQL information is provided to the developer of the application 10 and the developer develops the application 10 on the basis of the SQL information. In that case, the application 10 can input the SQL-ID directly and step 502 of providing the SQL information can be omitted. According to such a typical implementation, the privacy protection module 40 receives the SQL-ID and parameters from the application 10 and, if the SQL-ID is invalid (for example, if a nonexistent SQL-ID is specified), returns an error to the application 10. Only if the SQL-ID is valid does the privacy protection module 40 perform the following process.

The SQL constructing section 44 retrieves the SQL statement template associated with the provided SQL-ID from the SQL information storing section 43 and embeds the provided parameters in the SQL statement template to construct the SQL statement to be issued to the personal information DB 20 (step 504), and then returns it to the control section 41.

For example, if the SQL-ID “S001” and the parameter “TDL” are provided, then the SQL constructing section 44 generates the SQL statement “SELECT id, name, tel, hobby FROM pii_table WHERE department=‘TDL’”.

The control section 41 also provides the SQL-ID to the column identifying section 45.

The column identifying section 45 refers to the SQL information storing section 43 to identify the columns to be protected among the columns retrieved by using the SQL statement associated with the provided SQL-ID (step 505). For example, when the SQL statement associated with the SQL-ID “S001” is issued, the columns “id”, “name”, “tel”, and “hobby” are returned. The column identifying section 45 refers to the SQL information storing section 43 and learns that the columns “name” and “tel” among those columns are columns to be protected, and therefore notifies the control section 41 that these columns are columns to be protected.

The column identifying section 45 refers to the SQL information storing section 43 to identify the column indicating the data owner ID among the columns retrieved by using the SQL statement associated with the provided SQL-ID (step 506). For example, for the SQL statement associated with the SQL-ID “S001”, the columns “id”, “name”, “tel”, and “hobby” are returned. By referring to the SQL information storing section 43, the column identifying section 45 learns that the column “id” is the ID column of the data owner and therefore indicates this to the control section 41.

As a result of the process described above, the control section 41 holds the information for determining whether a request for delivery of the retrieved data complies with the personal information protection policy, in addition to the access information required for accessing the personal information DB 20 and the SQL statement to be issued to the personal information DB 20.

In particular, information indicating “who” accesses “whose information” and “what kind of information” for “what purpose” is required in order to protect personal information. Among these items of information, the information indicating “who” accesses and for “what purpose” has been provided to the control section 41 at step 503. The information indicating “whose information” is accessed will be specified by the application 10, as will be described later with reference to the flowchart in FIG. 6. The data owner ID column information used for determining whether or not the access to that person's information complies with the policy has been provided to the control section 41 at step 506. In addition, “what kind of information” is accessed will also be specified by the application 10, as will be described later. The protected-column information used for determining whether or not the access to that information complies with the policy has been provided to the control section 41 at step 505.

Then, the control section 41 generates the database accessing section 46 (DB connection) (step 507) and provides the held access information and SQL statement to the database accessing section 46 to instruct it to access the personal information DB 20. In response to this instruction, the database accessing section 46 uses the access information to access the personal information DB 20 and issues the SQL statement (step 508). Access from the application 10 to the personal information DB 20 is available only through the privacy protection module 40. Thus, the classes relating to database access are wrapped by the privacy protection module 40, thereby preventing unrestrained access by the application 10 to the personal information DB 20.

Then, the database accessing section 46 obtains the result of the query and holds it (step 509).

If the SQL statement “SELECT id, name, tel, hobby FROM pii_table WHERE department=‘TDL’”, for example, is issued to the personal information DB 20, then the “ID”, “name”, “TEL” and “hobby” in the information of people whose “department” is “TDL” are obtained. In particular, items of information such as “0001, Taro Yamada, 03-xxxx-xxxx, yyy” and “0003, Hanako Sato, 090-xxxx-xxxx, YYY” are retrieved in the example shown in FIG. 2.

Then, the database accessing section 46 notifies the control section 41 that it has obtained the result of the query, and the control section 41 in turn notifies the application 10 (step 510).

In Java®, information in a DB can be acquired by specifying the ordinal number of the record and the ordinal number of the column containing the information to be acquired and receiving the information from a class (ResultSet) that holds the result of a query. Therefore, the notified application 10 specifies the record and column it will actually use, thereby requesting the privacy protection module 40 to deliver that data.

In particular, if the application 10 is a program that lists the “name” information in the personal information included in the result of a query in order, the application 10 requests the “name” information in the first record by the first delivery request and requests the “name” information in the second record by the second delivery request. It repeats such requests until the user inputs an instruction to stop the listing of the information. The user may input an instruction to stop the display before requests for all of the information have been issued if the user finds the desired information among 50 people's information displayed on a display screen capable of displaying up to 50 people's information at a time.

Operation performed by the privacy protection module 40 for delivering data retrieved from the personal information DB 20 in response to a delivery request from the application 10 will be described below.

FIG. 6 is a flowchart of the operation. As described above, after the application 10 is notified of the acquisition of the result of the query at step 510, the application 10 requests the privacy protection module 40 to deliver the data, item by item. The operation of the privacy protection module 40 performed in response to one request from the application 10 for delivery of one particular item of data will be described here.

In the privacy protection module 40, the control section 41 first receives the specification of a record and column from the application 10 (step 601).

In response to this, the control section 41 acquires the information in the specified record and the specified column from the result of the query held by the database accessing section 46 (step 602).

For example, if the query result acquired at step 509 is “0001, Taro Yamada, 03-XXXX-XXXX, YYY”, “0003, Hanako Sato, 090-XXXX-XXXX, YYY”, and so on, and the application 10 requests the information in the first record in the second column (“name”), then the control section 41 retrieves the information “Taro Yamada”.

Then, the control section 41 determines, based on the protected column information identified at step 505, whether the requested column is to be protected (step 603).

If the requested column is not a column to be protected, then the control section 41 returns the acquired information to the application 10 as is (step 610). For example, if the columns “name” and “TEL” are specified as columns to be protected and the column “hobby” is requested, the control section 41 returns the retrieved information to the application 10 as is, because that column is not a column to be protected.

On the other hand, if the requested column is to be protected, control is passed to the policy compliance inquiry section 47, which then determines whether an inquiry result is already stored in the inquiry result storing section 48 (step 604). If the inquiry result is stored in the inquiry result storing section 48, then the policy compliance inquiry section 47 retrieves the inquiry result from the inquiry result storing section 48 (step 608); otherwise, the policy compliance inquiry section 47 inquires of the policy server 30 about the policy compliance (step 605). For example, if the columns “name” and “TEL” are specified as columns to be protected and the column “name” is requested, the policy server 30 performs such policy compliance checking because the column “name” is a column to be protected.

Then, the policy server 30 performs the policy compliance check and returns the result to the policy compliance inquiry section 47. The policy compliance inquiry section 47 receives the result of the inquiry and returns it to the control section 41 (step 606) and, at the same time, caches it in the inquiry result storing section 48 (step 607).

Specifically, the following process is performed. The assumption here is that the control section 41 holds the accessor ID “E0001” (Tokyo-area sales personnel) and the purpose of the access “sales activity” as a result of the processing at step 503, also holds information indicating that the columns “name” and “tel” are columns to be protected as a result of the processing at step 505, and holds information indicating that the column “id” is the data owner ID column as a result of the processing at step 506. It is also assumed that the following query result has been obtained at step 509: “0001, Taro Yamada, 03-XXXX-XXXX, YYY” in the first record and “0003, Hanako Sato, 090-XXXX-XXXX, YYY” in the second record. The policy server 30 holds the personal information protection policy shown in FIG. 3, which defines the condition “Only if address includes Tokyo”. It is assumed that the policy compliance inquiry section 47 therefore knows that it should send address information when requesting a policy compliance check. It is also assumed here that the inquiry result storing section 48 does not yet hold the result of a check on compliance with this policy.

Suppose that delivery of the second column in the first record included in the result of the query is requested by the application 10 in the situation described above. The control section 41 then provides to the policy server 30, through the policy compliance inquiry section 47, the accessor ID “E0001” as the information indicating “who” is accessing, the purpose of access “For sales activities” as the information indicating “what purpose”, the data owner ID “S0001” as the information indicating “whose information”, and the column “name” as the information indicating “what kind of information”. It also provides “Tokyo” as the address of the data owner to the policy server 30. In response to this, the policy server 30 returns “OK” as the result of the compliance check, because “E0001”, which indicates “Tokyo-area sales personnel”, is requesting delivery of the “name” of “S001”, whose “address includes Tokyo”, for the purpose of “sales activities”, and hence the request complies with the policy in FIG. 3.

On the other hand, suppose that delivery of the second column in the second record in the result of the query is requested by the application 10. Then the control section 41 provides to the policy server 30, through the policy compliance inquiry section 47, the accessor ID “E0001” as the information indicating “who” is accessing, the purpose of access “for sales activities” as the information indicating “what purpose”, the data owner ID “S0003” as the information indicating “whose information”, and the column “name” as the information indicating “what kind of information”. It also provides “Chiba” as the address of the data owner to the policy server 30. In response to this, the policy server 30 returns “NG” as the result of the compliance check, because “E0001”, which indicates “Tokyo-area sales personnel”, is requesting delivery of the “name” of “S0003”, whose “address includes Chiba”, for the purpose of “sales activities”, and hence the request does not comply with the policy in FIG. 3.

While the address of the data owner is sent from the policy compliance inquiry section 47 to the policy server 30 in this specific example, the data owner ID alone may be sent for the policy compliance check if the policy server 30 itself holds the address of each individual owner.

If the request complies with the policy (YES at step 609), the control section 41 returns the personal information acquired at step 602 to the application 10 (step 610). On the other hand, if the request does not comply with the policy (NO at step 609), the control section 41 does not return the personal information acquired at step 602 to the application 10 but instead returns an error message, for example “Privacy Violation!”, indicating a privacy compliance exception to the application 10 (step 611).

Thus, the operation according to the present embodiment ends.

If the present embodiment is implemented in Java®, a class that wraps a `java.sql.ResultSet` object holding the result of a query is created, and the logic that performs the policy compliance check is implemented in the wrapping class. Furthermore, `java.sql.ResultSet` can be used as the interface of the wrapping class, so that the application 10 accesses privacy-protected personal information in exactly the same way as it would use a normal ResultSet.

While in the foregoing description SQL statement templates, used as the basis for constructing the SQL statements issued to the personal information DB 20, are provided as shown in FIG. 4 so that input parameters can be embedded in them, complete SQL statements themselves may instead be provided for selection through the application 10 if the number of SQL statement patterns in use is small.

While the columns to be protected and the data owner ID column are identified at steps 505 and 506, respectively, by using the SQL information shown in FIG. 4 in the present embodiment, the present invention is not so limited. That is, a column to be protected may be identified at any point in time before step 603 and may be identified on the basis of any information. Likewise, the data owner ID column may be identified at any point in time before step 605 and may be identified on the basis of any information.

Load concentration during access to a database can be prevented according to the present embodiment because, as described above, information stored in the database is checked for compliance with a policy at the time when an application actually uses the information, not at the time of the query. For example, if an application is designed to display the information of 50 people at a time out of the information retrieved from the personal information DB, only those 50 people's information needs to be checked for policy compliance at that time.

Furthermore, unnecessary policy compliance checks can be avoided because a policy compliance check is performed only when the application uses information stored in the DB. For example, the intended processing may in effect be complete after the information of 50 people has been scanned out of the 1,000 people's information that the query returned. In such a case, the benefit of avoiding the remaining 950 unnecessary policy compliance checks is significant.
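The mechanism described above (the wrapping class around the query result, the check deferred until a protected cell is delivered, the cached inquiry results of section 48, and the saving when only 50 of 1,000 hits are used) is shown below as an added example in Python rather than Java. This is not code from the patent or its applicant. The table, the single rule standing in for FIG. 3, the accessor ID `E0001`, the owner IDs and the template name `customers_by_address` are constructed for illustration, the policy server is a local class rather than a network service, and the use of a bound `?` parameter in the template instead of string embedding is this example's choice.

```python
"""Delivery-time policy compliance check around an already-read query result."""
import sqlite3


class PrivacyViolation(Exception):
    """Raised instead of returning a protected value when the check fails (step 611)."""


# Stand-in for the SQL information storing section 43 (FIG. 4). The template binds the
# application's input as a parameter, so the input cannot change the statement itself.
SQL_TEMPLATES = {
    "customers_by_address": {
        "sql": "SELECT id, name, tel, address FROM customers WHERE address LIKE ? ORDER BY id",
        "protected": {"name", "tel"},   # columns to be protected (step 505)
        "owner_id": "id",               # data owner ID column (step 506)
        "owner_address": "address",     # extra information the rule in FIG. 3 needs
    },
}


class PolicyServer:
    """Stand-in for policy server 30 with one constructed rule: accessors in the
    'tokyo_sales' group may receive protected columns for 'sales activity' only if
    the data owner's address includes 'Tokyo'."""

    def __init__(self):
        self.groups = {"E0001": "tokyo_sales"}                 # accessor ID -> group
        self.rules = {("tokyo_sales", "sales activity"): "Tokyo"}
        self.checks = 0                                        # number of inquiries made

    def check(self, accessor_id, purpose, owner_id, column, owner_address):
        """Answer one inquiry (who / what purpose / whose / what kind) with 'OK' or 'NG'."""
        self.checks += 1
        required = self.rules.get((self.groups.get(accessor_id), purpose))
        return "OK" if required is not None and required in owner_address else "NG"


class ProtectedResultSet:
    """Plays the role of the wrapping class around java.sql.ResultSet: every row is
    already in memory, but a protected column is checked only when it is delivered."""

    def __init__(self, rows, template, accessor_id, purpose, policy):
        self._rows = rows                 # list of dicts read at step 509, unchecked
        self._template = template
        self._accessor = accessor_id
        self._purpose = purpose
        self._policy = policy
        self._cache = {}                  # inquiry result storing section 48

    def __len__(self):
        return len(self._rows)

    def get(self, record, column):
        """Deliver one cell identified by record index and column name (steps 603-611)."""
        row = self._rows[record]
        if column not in self._template["protected"]:
            return row[column]                                # not protected: no inquiry
        owner_id = row[self._template["owner_id"]]            # whose information (step 605)
        key = (self._accessor, self._purpose, owner_id, column)
        if key not in self._cache:                            # ask only once per key
            self._cache[key] = self._policy.check(
                self._accessor, self._purpose, owner_id, column,
                row[self._template["owner_address"]])
        if self._cache[key] != "OK":
            raise PrivacyViolation(
                f"Privacy Violation! {self._accessor} may not receive {column} of {owner_id}")
        return row[column]


class PrivacyProtectionModule:
    """Stand-in for privacy protection module 40: read now, check at delivery."""

    def __init__(self, conn, policy):
        self._conn = conn
        self._policy = policy

    def query(self, template_name, parameter, accessor_id, purpose):
        template = SQL_TEMPLATES[template_name]
        cur = self._conn.execute(template["sql"], (parameter,))
        names = [d[0] for d in cur.description]
        rows = [dict(zip(names, r)) for r in cur.fetchall()]  # step 509: no checks yet
        return ProtectedResultSet(rows, template, accessor_id, purpose, self._policy)


def build_sample_db():
    """Constructed data in the shape of FIG. 2; the two named rows match the worked
    example and 1,000 further Tokyo rows reproduce the 'many hits' situation."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id TEXT, name TEXT, tel TEXT, address TEXT)")
    rows = [("S0001", "Taro Yamada", "03-XXXX-XXXX", "Tokyo, Chiyoda"),
            ("S0003", "Hanako Sato", "090-XXXX-XXXX", "Chiba, Funabashi")]
    rows += [(f"S{n:04d}", f"Customer {n}", "03-XXXX-XXXX", "Tokyo, Shinjuku")
             for n in range(100, 1100)]
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", rows)
    return conn


def run_example(rows_displayed=50):
    """Replays the worked example and returns what the application observes."""
    policy = PolicyServer()
    module = PrivacyProtectionModule(build_sample_db(), policy)
    rs = module.query("customers_by_address", "%", "E0001", "sales activity")
    first_name = rs.get(0, "name")                  # S0001 in Tokyo -> "OK"
    try:
        rs.get(1, "name")                           # S0003 in Chiba -> "NG"
        second = None
    except PrivacyViolation as exc:
        second = str(exc)
    rs.get(0, "name")                               # cache hit: no further inquiry
    for record in range(2, 2 + rows_displayed):     # one screen of 50 out of the hits
        rs.get(record, "name")
    return {"hits": len(rs), "first_name": first_name, "second": second,
            "checks": policy.checks}
```

Running `run_example()` reads 1,002 rows but makes only 52 inquiries (the two named records plus the 50 displayed), and the repeat access to record 0 is answered from the cache. Two points a practitioner should keep in mind with this design: the unchecked rows sit in the same process as the application, so the wrapper enforces policy for a well-behaved application but is not an isolation boundary against a compromised one, and cached "OK" results must be invalidated when the policy or the owner's data changes, or a stale answer will keep authorising delivery.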

According to the conventional techniques, a special database must be provided that has a mechanism for transforming a received SQL query into an SQL query that returns only the information complying with a policy. In contrast, the present embodiment does not require such a special database.

Furthermore, according to the conventional techniques, an extended SQL must be used for the policy compliance check if information such as who is accessing the information and for what purpose is to be taken into account. According to the present embodiment, in contrast, no extended SQL is needed because such information is handled in the privacy protection module.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram showing an overall configuration of a databasesystem according to the present embodiment;

FIG. 2 shows an example of information stored in a personal informationDB according to the present embodiment;

FIG. 3 shows an example of information managed in a policy serveraccording to the present embodiment;

FIG. 4 shows an example of information stored in an SQL informationstoring section according to the present embodiment;

FIG. 5 is a flowchart showing an operation performed when a privacyprotection module according to the present embodiment is executed; and

FIG. 6 is a flowchart showing an operation performed when the privacyprotection module according to the present embodiment is executed.

DESCRIPTION OF SYMBOLS

-   10 . . . Application
-   20 . . . Personal information DB
-   30 . . . Policy server
-   40 . . . Privacy protection module
-   41 . . . Control section
-   42 . . . Access information storing section
-   43 . . . SQL information storing section
-   44 . . . SQL constructing section
-   45 . . . Column identifying section
-   46 . . . Database accessing section
-   47 . . . Policy compliance inquiry section
-   48 . . . Inquiry result storing section

1. A database system comprising: data storing means for storing data to be protected; data processing means for performing predetermined processing by using said data stored in said data storing means; and data protection means for, at a first point in time, receiving a first request to read said data stored in said data storing means from said data processing means by receiving from a user a selection of a statement template for reading said data and a purpose of the access, receiving from said data processing means a user identifier of the user, in response to receiving said selection of said statement template, said purpose, and said user identifier of the user, reading said data from said data storing means without determining whether said data satisfies predetermined criteria, holding said read data without returning said data to said data processing means in response to said first request, notifying said data processing means that said data has been read, at a later point in time when said particular data is to be used by said data processing means, receiving from said data processing means a second request to deliver particular data among said held data, wherein said request specifies a record and a column, and in response to receiving said second request, using said held data, determining whether said column is to be protected by accessing stored information associated with said statement template, in response to determining that said column is to be protected, determining whether said delivery request satisfies predetermined criteria based on the purpose of the access, the user identifier, and information about an owner of said particular data, and delivering said particular data to said data processing means on condition that said delivery request satisfies said predetermined criteria.
2. The database system according to claim 1, wherein said data processing means accesses said data storing means through said data protection means; and said data protection means holds access information for accessing said data storing means and, on reading said data from said data storing means, uses said access information to access said data storing means.
 3. Thedatabase system according to claim 1, wherein said data protection meansholds a plurality of database manipulation statements for reading saiddata stored in said data storing means and, in response to receiving aselection of a particular database manipulation statement from amongsaid plurality of database manipulation statements as a request to readsaid data, uses said particular database manipulation statement to readsaid data from said data storing means.
 4. The database system accordingto claim 1, wherein said data protection means holds said plurality ofstatement templates for reading said data stored in said data storingmeans and, in response to receiving a selection of a particular one ofsaid plurality of statement templates and an input of a parameter as arequest to read said data, constructs a database manipulation statementon the basis of said particular statement template and said parameterand uses said database manipulation statement to read said data fromsaid data storing means.
 5. The database system according to claim 1,wherein: said data protection means, in response to receiving from saiddata processing means a request to deliver said particular data,identifies the owner of said particular data.
 6. The database systemaccording to claim 1, wherein: said data protection means, in responseto receiving from said data processing means a request to deliver saidparticular data, sends information about said delivery request toanother computer managing criteria for determining whether saidparticular data is permitted to be delivered to said data processingmeans and determines on the basis of a response from said anothercomputer whether said delivery request satisfies said criteria.
 7. Thedatabase system according to claim 1, wherein, said data protectionmeans returns to said data processing means a response indicating thatsaid delivery request does not satisfy said predetermined criteria oncondition that said delivery request does not satisfy said predeterminedcriteria.
8. A system comprising a first computer using data stored in a database and a second computer managing criteria for the use of said data, wherein: said first computer, in response to receiving a first request to read said data stored in said database from an application program at a first point in time, reads said data stored in said database without determining whether said particular data is permitted to be delivered to said application program and holds said data without returning said data to said application program in response to said first request, and, in response to receiving from said application program a second request to deliver particular data among said data at a later point in time when said particular data among said data is used by said application to display said data, sends information about the use of said particular data to said second computer, wherein said request specifies a record and a column; said second computer, in response to receiving said information about the use of said particular data, determines on the basis of said criteria whether said first computer is permitted to use said particular data by: determining whether said column is to be protected by accessing stored information associated with a statement template, and in response to determining that said column is to be protected, determining on the basis of said criteria, a purpose of an access of said particular data, a user identifier, and information about an owner of said particular data whether said particular data is permitted to be delivered to said application program, and returns a result of the determination to said first computer; and said first computer uses said particular data in response to receiving from said second computer information indicating that said first computer is permitted to use said particular data.
 9. The system according to claim8, wherein: said first computer delivers said particular data to saidapplication program depending on the result returned from said secondcomputer.
10. A method for acquiring information, comprising: at a first point in time, receiving a first request from an application to read said data stored in a database by receiving from a user a selection of a statement template for reading said data and a purpose of the access; receiving from said application a user identifier of the user; in response to receiving said selection of said statement template, said purpose, and said user identifier of the user, reading said data from said database without determining whether said data satisfies predetermined criteria; holding said read data without returning said data to said application in response to said first request; notifying said application that said data has been read; at a later point in time when said particular data is to be used by said application, receiving from said application a second request to deliver particular data among said held data, wherein said request specifies a record and a column; and in response to receiving said second request, using said held data, determining whether said column is to be protected by accessing stored information associated with said statement template; in response to determining that said column is to be protected, determining whether said delivery request satisfies predetermined criteria based on the purpose of the access, the user identifier, and information about an owner of said particular data; and delivering said particular data to said application on condition that said delivery request satisfies said predetermined criteria.
 11. The method for acquiring informationaccording to claim 10, wherein reading said data from said databasefurther comprises: reading access information for accessing saiddatabase; and accessing said database by using said read accessinformation.
 12. The method for acquiring information according to claim10, wherein reading said data from said database further comprises:reading a particular database manipulation statement from among aplurality of database manipulation statements for reading said datastored in said database; and reading said data from said database byusing said selected particular database manipulation statement.
 13. Themethod for acquiring information according to claim 10, wherein readingsaid data from said database further comprises: holding a plurality ofstatement templates; receiving selection of a particular statementtemplate from among said plurality of statement templates and input of aparameter as a request to read said data; receiving an input of aparameter; and constructing a database manipulation statement on thebasis of said selected statement template and said input parameter andreading said data from said database by using said database manipulationstatement.
14. The method for acquiring information according to claim 10, wherein determining whether said delivery request satisfies predetermined criteria further comprises: in response to receiving said request to deliver said particular data, sending information about said delivery request to another computer managing criteria for determining whether said particular data is permitted to be delivered; and determining on the basis of a response from said another computer whether said delivery request satisfies said criteria.
15. A program loaded into main memory by a Central Processing Unit (CPU) for causing a computer to implement the functions of: at a first point in time, receiving a first request from an application to read said data stored in a database by receiving from a user a selection of a statement template for reading said data and a purpose of the access, receiving from said application a user identifier of the user; in response to receiving said selection of said statement template, said purpose, and said user identifier of the user, reading said data from said database without determining whether said data satisfies predetermined criteria; holding said read data; notifying said application that said data has been read; at a later point in time when said particular data is to be used by said application, receiving from said application a second request to deliver particular data among said held data, wherein said request specifies a record and a column; and in response to receiving said second request, using said held data, determining whether said column is to be protected by accessing stored information associated with said statement template; in response to determining that said column is to be protected, determining whether said delivery request satisfies predetermined criteria based on the purpose of the access, the user identifier, and information about an owner of said particular data; and delivering said particular data on condition that said delivery request satisfies said predetermined criteria.
 16. The program accordingto claim 15 for further causing the computer to implement the functionsof: holding access information for accessing said database; andaccessing said database by using said access information on reading saiddata from said database.
 17. The program according to claim 15 forfurther causing the computer to implement the functions of: holding aplurality of database manipulation statements for reading said datastored in said database; prompting selection of a particular databasemanipulation statement from among said plurality of databasemanipulation statements as a request to read said data; and reading saiddata from said database by using said selected particular databasemanipulation statement.
18. The program according to claim 15 for further causing the computer to implement the functions of: holding a plurality of statement templates; receiving selection of a particular statement template from among said plurality of statement templates and input of a parameter as a request to read said data; receiving an input of a parameter; and constructing a database manipulation statement on the basis of said selected statement template and said input parameter and reading said data from said database by using said database manipulation statement.
 19. The program according to claim 15 forfurther causing the computer to implement the function of: in responseto receiving a request to deliver said particular data, identifying theowner of said particular data.
 20. The program according to claim 15 forimplementing, in said function of determining whether said deliveryrequest satisfies said predetermined criteria, the functions of: inresponse to receiving a request to deliver said particular data, sendinginformation about said delivery request to another computer managingcriteria for determining whether said particular data is permitted to bedelivered; and determining on the basis of a response from said anothercomputer whether said delivery request satisfies said criteria.
 21. Theprogram according to claim 15 for further causing the computer toimplement the function of: if said delivery request does not satisfysaid predetermined criteria, returning a response indicating that saiddelivery request does not satisfy said predetermined criteria.
 22. Themethod for acquiring information according to claim 10, wherein saidpredetermined criteria is specified by a privacy protection policy.